Mozilla Foundation Security Advisory 2008-28

Arbitrary socket connections with Java LiveConnect on Mac OS X

Announced

July 1, 2008

Reporter

Gregory Fleischer

Impact

High

Products

Firefox, SeaMonkey

Fixed in

Firefox 2.0.0.15

Firefox 3

SeaMonkey 1.1.10

Description

Security researcher Gregory Fleischer reported a
vulnerability in the way Mozilla indicates the origin of a document to the
Java Embedding Plugin (JEP) that ships with Firefox on Mac OS X. This
vulnerability could allow a malicious Java applet to bypass the same-origin
policy and create arbitrary socket connections to other domains.

Workaround

Disable Java on Mac OS X until a version containing these fixes can be installed.